The Payment Card Industry Data Security Standard (PCI DSS)


The Payment Card Industry Data Security Standard (PCI DSS)

Presentation outline
- Why PCI DSS?
- Compliance and validation levels
- Cardholder data
- The legal perspective
- Performing a PCI DSS audit
- Decreasing costs through automation

What is the Payment Card Industry Data Security Standard (PCI DSS)?
The PCI DSS is a set of security standards drawn up by the world's major credit card companies, including VISA and MasterCard, to protect credit and debit card data. To date, these requirements govern all payment channels, including retail, mail order, telephone order and e-commerce. PCI DSS started out as a separate information security standard but has now become a global security standard.

Why is the PCI DSS required?
Cardholder data theft and fraud have been around since the mid-80s, and this prompted Visa to establish the first security program. The recent TJX security breach, in which at least 45.6 million credit and debit card numbers were stolen by hackers who broke into its network, highlights the increased need for greater security. According to InformationWeek, hackers can sell stolen credit card data on the black market at a rate of USD 490 for a card number with PIN.

PCI Data Security Standard v1.1 (1/3)
The PCI DSS framework is divided into 12 security requirements, which can be grouped into three main areas:
- Collection and storage of all log data so that it is available for analysis
- Reporting on all activity so as to be able to prove compliance on the spot
- Monitoring and alerting, whereby administrators can constantly monitor access to and usage of data and be warned of problems immediately

PCI Data Security Standard v1.1 (2/3)
The PCI DSS framework is also made up of six categories, as follows:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

PCI Data Security Standard v1.1 (3/3)
PCI DSS Requirements:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

What is "cardholder data"?
"All information from a credit/debit card used in a transaction" - pcianswers.com
Cardholder data elements:
- Primary Account Number (PAN)
- Cardholder name
- Expiration date
Sensitive Authentication Data (SAD):
- Magnetic stripe data
- Card Validation Code (CVC)
- Personal identification number (PIN)

Cardholder data storage
The PCI DSS governs how stored cardholder data is protected. The following details may be stored as long as they are encrypted, hashed or truncated: PAN, cardholder name, expiration date, service code.
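Added example (not from the presentation or any GFI product) showing what "encrypted, hashed or truncated" storage of the permitted elements looks like in practice, and how a storage layer refuses the Sensitive Authentication Data elements from the previous slide. Field names, the sample record, the test card number and the hash key are constructed for this example; a real deployment would obtain the key from a key management system and would typically add field-level encryption on top of the truncation and keyed hash shown here.

```python
import hashlib
import hmac
import re

# Constructed key for the keyed hash (assumption). In a real deployment it would be
# held in a key management system and rotated, never embedded in source.
HASH_KEY = b"example-key-not-for-production"

# Sensitive Authentication Data named on the slide: must never reach storage.
SAD_FIELDS = {"magnetic_stripe", "cvc", "pin"}

# Elements the slide allows in storage once encrypted, hashed or truncated,
# plus ordinary transaction fields that carry no card data (constructed names).
STORABLE_FIELDS = {"pan", "cardholder_name", "expiration_date", "service_code"}
OTHER_FIELDS = {"amount", "merchant_id"}

PAN_RE = re.compile(r"\d{13,19}")


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; mask the rest."""
    if not PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str) -> str:
    """Keyed SHA-256 (HMAC) of the full PAN.

    Lets records for the same card be matched without storing the PAN; because
    the hash is keyed, a precomputed table of all 16-digit numbers does not
    reverse it the way a plain unsalted hash could be reversed.
    """
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to persist.

    Raises if any SAD field is present, or if an unreviewed field sneaks in,
    so that new data elements are reviewed before they are ever stored.
    """
    present_sad = SAD_FIELDS & set(record)
    if present_sad:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present_sad)}")
    unknown = set(record) - STORABLE_FIELDS - OTHER_FIELDS
    if unknown:
        raise ValueError(f"unreviewed fields: {sorted(unknown)}")
    safe = {k: v for k, v in record.items() if k != "pan"}
    if "pan" in record:
        safe["pan_truncated"] = truncate_pan(record["pan"])
        safe["pan_hash"] = hash_pan(record["pan"])
    return safe


# Constructed sample transaction; 4111111111111111 is a well-known test number.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "J. Doe",
    "expiration_date": "12/09",
    "service_code": "201",
    "amount": "19.99",
    "merchant_id": "M-0001",
}

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_RECORD))
    try:
        prepare_for_storage({**SAMPLE_RECORD, "cvc": "123"})
    except ValueError as err:
        print("rejected:", err)
```

The allow-list of field names is the important design choice: a deny-list of SAD names would silently let a renamed "cvv2" or "track2" column through, whereas an allow-list forces every new column to be reviewed against the storage rules.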

Typical transaction flow
1. A customer uses a credit card to pay a merchant for purchased goods
2. The merchant submits the credit card transaction to the Payment Gateway
3. The Payment Gateway passes the transaction via a secure connection to the Merchant's Bank
4. The Merchant's Bank then goes through the Credit Card Interchange for transaction approval

Who should be PCI DSS compliant?
As from September 30, 2007, all businesses handling cardholder data, irrespective of size, have to be compliant with the strict security standards drawn up by the world's major credit card companies. This applies to all entities where cardholder data is:
- Stored
- Transmitted
- Processed
All entities described as merchants or service providers must become compliant.

Merchants
Entities that accept credit cards as payment. Examples of sectors affected:
- Online trading (e.g. ebay.com)
- Retail (e.g. Wal-Mart)
- Higher education (e.g. universities)
- Health (e.g. hospitals)
- Travel and entertainment (e.g. restaurants)
- Energy (e.g. gas/service stations)
- Finance (e.g. insurance companies)

Merchant compliance levels
- Level 1: Merchants from whom cardholder data has been compromised; merchants with more than 6 million annual credit card transactions
- Level 2: Merchants with between 1 and 6 million annual credit card transactions
- Level 3: Merchants with between 20,000 and 1 million annual credit card transactions
- Level 4: All other merchants

Service providers
Entities that provide services to merchants. Examples of services:
- Payment gateways (e.g. PayPal)
- Payment processors
- E-commerce host providers
- Managed service providers
- Credit reporting agencies
- Backup management companies
- Paper shred companies

Service provider compliance levels
- Level 1: All payment processors and payment gateways
- Level 2: Service providers not in Level 1, with more than 1 million annual credit card accounts/transactions
- Level 3: Service providers not in Level 1, with fewer than 1 million annual credit card accounts/transactions

PCI DSS compliance procedures
Validation applies to merchants (Levels 1 to 4) and service providers, through three procedures:
- On-site security audit: performed by a Qualified Security Assessor (QSA); deliverable: Report on Compliance (ROC); required annually for Level 1
- Self-assessment questionnaire: performed in-house; deliverable: Self-Assessment Questionnaire
- Network scan: performed by an Approved Scan Vendor (ASV); deliverable: scan report; required quarterly

Cardholder data compromises
"Intrusion into computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected" - PCI DSS glossary
- Incident response plan: Requirement 12.9
- Why report a compromise? To limit the damage
- Reporting channels: internal incident response team; credit card associations and acquirers; local law enforcement
- Who risks a compromise?

Consequences
- Financial: could lead to fines of up to USD 500,000 and expensive litigation costs
- Reputation: a negative incident could have a big impact on a brand name; involvement of law enforcement agencies
- Operational: Level 2, 3 or 4 + compromise = Level 1; could lead to a potential loss of card processing privileges

Preparation for PCI DSS compliance
1. Become familiar with the PCI DSS requirements
2. Identify all cardholder data and remove unnecessary cardholder data
3. Perform a security gap analysis
4. Create an action plan and call in experts for advice if necessary
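Added example (not from the presentation) for the "identify all cardholder data" step: a small discovery scanner that finds PAN-like digit runs in text and keeps only those that pass the Luhn check, so that order numbers and phone numbers are not reported as card data. The sample text, its field names and the card numbers (well-known test numbers) are constructed; a real sweep would walk file shares, databases and mailboxes with the same matching logic.

```python
import re

# Constructed sample text standing in for a file found during a discovery sweep.
# The card numbers are well-known test numbers, not real accounts.
SAMPLE_TEXT = """\
order=1001 pan=4111111111111111 exp=12/09 name=J Doe
order=1002 pan=4111 1111 1111 1112 exp=01/10
ticket=55 ref=1234567890123456 note=not a card
phone=5555-4444-3333
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report findings in truncated form so the scan output is not itself cardholder data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return one finding per Luhn-valid PAN candidate: line number and masked PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": lineno, "masked": mask(digits)})
    return findings


if __name__ == "__main__":
    for f in find_pans(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['masked']}")
```

Of the four sample lines only the first is reported: the second fails the Luhn check (a mistyped number), the third is a 16-digit reference that also fails it, and the fourth has too few digits to be a PAN. Findings are written in masked form so that the scan report does not become another store of cardholder data.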

PCI DSS compliance costs
The cost of validation follows the same procedures per level: an on-site security audit by a Qualified Security Assessor (QSA) producing a Report on Compliance (ROC), an in-house Self-Assessment Questionnaire, and a quarterly network scan by an Approved Scan Vendor (ASV) producing a scan report.

Pain points
Maintain secure systems and applications:
- Audit your network
- Scan for vulnerabilities
- Deploy patches/service packs
Monitor the network:
- Log user activity
- Log access to cardholder data
- Alert on important events
Provide documented evidence:
- Maintain secure systems
- Monitor activity
- Take remedial action
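Added example (not from the presentation and not GFI EventsManager output) of the "log access to cardholder data" and "alert on important events" points: it parses constructed audit log lines and raises two kinds of alert, a read of the cardholder store by a user outside the need-to-know list (Requirements 7 and 10) and a burst of failed logins within a sliding window. The log format, host and user names and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log lines in a simple key=value format (assumed, not a real product format).
SAMPLE_LOG = """\
2007-09-30T10:01:02 host=pos-db1 user=alice action=read object=cardholder_db result=success
2007-09-30T10:01:05 host=pos-db1 user=mallory action=read object=cardholder_db result=success
2007-09-30T10:02:01 host=pos-app1 user=bob action=login result=failure
2007-09-30T10:02:07 host=pos-app1 user=bob action=login result=failure
2007-09-30T10:02:12 host=pos-app1 user=bob action=login result=failure
2007-09-30T10:02:20 host=pos-app1 user=bob action=login result=failure
2007-09-30T10:02:33 host=pos-app1 user=bob action=login result=failure
2007-09-30T10:20:00 host=pos-app1 user=bob action=login result=failure
2007-09-30T10:30:00 host=pos-db1 user=alice action=read object=cardholder_db result=success
"""

AUTHORISED_READERS = {"alice"}            # business need-to-know list (constructed)
FAILED_LOGIN_THRESHOLD = 5                # alert on the 5th failure ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within this window

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Turn one log line into a dict; returns None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        event = dict(part.split("=", 1) for part in m.group("kv").split())
        event["ts"] = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return event


def analyse(log_text: str) -> list:
    """Return (alert_type, user, timestamp) tuples for the events worth waking someone up for."""
    alerts = []
    failures = defaultdict(list)          # user -> timestamps of recent failed logins
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "user" not in ev:
            continue
        # Rule 1: any read of the cardholder store by a user outside the need-to-know list.
        if ev.get("object") == "cardholder_db" and ev.get("action") == "read" \
                and ev["user"] not in AUTHORISED_READERS:
            alerts.append(("UNAUTHORISED_CARDHOLDER_ACCESS", ev["user"], ev["ts"]))
        # Rule 2: repeated failed logins for one user inside a sliding window.
        if ev.get("action") == "login" and ev.get("result") == "failure":
            window = failures[ev["user"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)             # drop failures that fell out of the window
            if len(window) == FAILED_LOGIN_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("BRUTE_FORCE_SUSPECTED", ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} user={user}")
```

On the sample log this produces exactly two alerts: mallory's read of the cardholder store, and bob's fifth failed login at 10:02:33. The sixth failure at 10:20:00 falls outside the ten-minute window and does not re-fire, which keeps a slow trickle of failures from paging an administrator every few minutes.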

Automation through software
Drastically reduce manual, repetitive tasks:
- Network audits
- Vulnerability management
- Activity monitoring
- Real-time alerts
- Remedial action
- Report generation

PCI DSS and GFI network security products
The slide maps the twelve PCI DSS requirements against two products, GFI EventsManager and GFI LANguard N.S.S.:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

ROI and business benefits
Automation:
- Reduce manual and repetitive tasks
- Reduce the administrator's workload
- Trigger proactive remedial actions
Protection:
- Complement your security policy
- Notify you of potential security threats
- Gives you peace of mind
Savings:
- No PCI DSS fines
- No outsourced consultancy fees
- Business continuity

Conclusion
Since companies are constantly at risk of losing sensitive cardholder data, which could result in fines, legal action and bad publicity, achieving compliance with the PCI DSS should be high on the agenda of companies that store, transmit or process credit card data. PCI DSS compliance needs to be achieved by September 2007; this is the deadline set by the credit card companies. GFI Software offers such businesses two products, GFI EventsManager and GFI LANguard Network Security Scanner (N.S.S.), to help them on their road to becoming compliant.

Corporate overview
- Founded in 1992
- Over 200 employees worldwide
- Offices in Malta, London, Raleigh, Hong Kong and Adelaide
- GFI products installed on over 200,000 networks worldwide, mostly SMBs
- A channel-focused company with over 10,000 partners throughout the world
The vision: To become the technology of choice for IT security and productivity solutions.
The mission: To provide quality, cost-effective content security, network security and messaging solutions to IT professionals around the world.